Bug#914370: [apparmor] Bug#914370: cups-daemon: AppArmor profile allows cupsd to create setuid binaries under /etc

2019-01-27 Thread intrigeri
Control: severity -1 minor Guten Abend Christian, hi again everyone! (some AppArmor stuff first, then a question for the CUPS folks) Christian Boltz: > My guess is that John meant something like that: > /etc/cups/** Cx -> trap, > profile trap { > # intentionally left empty > } Ah,

Bug#914370: [apparmor] Bug#914370: cups-daemon: AppArmor profile allows cupsd to create setuid binaries under /etc

2019-01-27 Thread Christian Boltz
Hello, Am Sonntag, 27. Januar 2019, 15:01:40 CET schrieb intrigeri: > John Johansen: > > Policy can be adjusted to include trap profiles that will attach > > to binaries executed out of these directories. The trap profile > > can grant limited to no permissions. > > [...] > > short term: confine

Bug#914370: [apparmor] Bug#914370: cups-daemon: AppArmor profile allows cupsd to create setuid binaries under /etc

2019-01-27 Thread intrigeri
Hi John & others, John Johansen: > Policy can be adjusted to include trap profiles that will attach > to binaries executed out of these directories. The trap profile > can grant limited to no permissions. > [...] > short term: confine users & a trap profile(s) on the /etc/cups dir I was not able

Bug#914370: [apparmor] Bug#914370: cups-daemon: AppArmor profile allows cupsd to create setuid binaries under /etc

2018-12-19 Thread John Johansen
On 12/16/18 6:05 AM, intrigeri wrote: > Hi, > > (+ AppArmor upstream mailing list as I don't feel sufficiently > knowledgeable to provide authoritative answers or guidance) > > Didier 'OdyX' Raboud: >> Le jeudi, 22 novembre 2018, 19.05:19 h CET deb...@dbwats.plus.com a écrit : >>> The AppArmor

Bug#914370: cups-daemon: AppArmor profile allows cupsd to create setuid binaries under /etc

2018-12-16 Thread intrigeri
Hi, (+ AppArmor upstream mailing list as I don't feel sufficiently knowledgeable to provide authoritative answers or guidance) Didier 'OdyX' Raboud: > Le jeudi, 22 novembre 2018, 19.05:19 h CET deb...@dbwats.plus.com a écrit : >> The AppArmor profile supplied with cupsd isn't much use against

Bug#914370: cups-daemon: AppArmor profile allows cupsd to create setuid binaries under /etc

2018-11-25 Thread Didier 'OdyX' Raboud
Control: tags -1 +confirmed +help Le jeudi, 22 novembre 2018, 19.05:19 h CET deb...@dbwats.plus.com a écrit : > The AppArmor profile supplied with cupsd isn't much use against local > attackers, as it allows cupsd to create setuid binaries at paths it > can write to (e.g. under /etc/cups). Since

Bug#914370: cups-daemon: AppArmor profile allows cupsd to create setuid binaries under /etc

2018-11-22 Thread debbug
Package: cups-daemon Version: 2.3~b5-2 Severity: normal Dear Maintainer, The AppArmor profile supplied with cupsd isn't much use against local attackers, as it allows cupsd to create setuid binaries at paths it can write to (e.g. under /etc/cups). Since cupsd is run as root by default, these